A press release from the Information Commissioner’s Office indicates the Commissioner wants some insider privacy or data breaches to result in jail terms. While most of the examples he provides have been previously covered on my blogs, he also reveals this disturbing breach:
The call for action comes as a bank cashier yesterday pleaded guilty to using her position to access illegally the personal details of a sex attack victim. The cashier’s husband had been convicted of carrying out the attack and was serving time in jail. Sarah Langridge – a former employee of Barclays Bank – claimed she accessed the victim’s accounts and banking records to try to build a picture of the woman who had accused her husband. Mrs Langridge was fined £800, made to pay £400 costs and a £15 victims’ surcharge in a hearing at Brighton Magistrates Court.
[…]
In this latest case, Mrs Langridge’s offences were uncovered following a court hearing concerning her husband’s sentence for committing a serious sexual offence. His victim recognised Mrs Langridge in court as working at the local bank branch she used. Concerned that her account had been unlawfully accessed, the victim contacted Barclays bank and the police. The bank’s enquiries found that Mrs Langridge had regularly accessed the victim’s records on eight separate dates over a period of eight months – the period during which her husband’s court case was ongoing.
Mrs Langridge viewed the victim’s account records including her personal details, current account entries, lending records and employer details. During an interview under caution, the defendant claimed that she had not made a record of any of the information she viewed and had not disclosed it to her husband or any other third party.
Read more on the ICO’s web site.
Imagine if every case of insider snooping resulted in court charges and fines. It could totally tie up the court system.
But what about those in the UK who were responsible for controlling access to personal information? While I fully endorse holding rogue employees accountable, shouldn’t there be some undertaking of consequences when the businesses or data controllers have failed to provide adequate security? The states or HHS can fine entities here, and have done so in the past. Should the UK be doing that, too?